Reported by @nicolasdanelon in #89 (comment), Shaarli's version number is visible at http://host.com/shaarli_version.txt

This is somewhat similar to sebsauvage#214 and #81, although it doesn't involve the version number in the HTML, but rather that there is a file at a fixed location that contains the Shaarli version.

We could either include a .htaccess file (but that would only work for Apache, I run nginx...), or we should rethink the current update verification mechanism that requires this file to exist. Please discuss.

Edit: anyway, preventing version disclosures is pointless in the end, because proper vulnerability scanners like Metasploit provide modules to detect the version based on heuristics, small page rendering differences, etc. I've put up #123 but this is likely the last time I deal with version disclosures. Heck, even a simple nmap scan can tell your OS/apache/other services' version even when you properly disable headers. Security through obscurity blah blah.

Edit2: Have a look at wpscan, which is able to tell the exact version of both core and plugins of the world's most used blog CMS. Resistance. Is. Futile.

Yes, agreed. At this moment, all Shaarlis in use in the world that haven't switched to the community version, and to the latest version with that, are broadcasting their version number, so removing it is slightly better, but it's not going to make or break the security of the whole ecosystem. Thanks for the PR.
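The nginx counterpart to the .htaccess idea raised in the issue body, as an added example (this is not Shaarli's shipped configuration): an exact-match `location` hides the fixed-location version file from HTTP clients while leaving it on disk, which is what the issue says the update check needs. The install path `/var/www/shaarli`, the hostname and the php-fpm socket path are assumptions; adjust them to your deployment.

```nginx
# Added example, not Shaarli's own configuration.
# Assumed install path, hostname and PHP backend.
server {
    listen 80;
    server_name shaarli.example.com;
    root /var/www/shaarli;
    index index.php;

    # Weak (the situation the issue describes): with no rule for it,
    # GET /shaarli_version.txt is served straight from the docroot
    # and returns the version string to anyone.
    #
    # Hardened: an exact-match location wins over the regex locations
    # below, so the file is never served. Answer 404 rather than 403
    # so a probe cannot distinguish "exists but forbidden" from
    # "not there". The file stays on disk; only HTTP access is cut.
    location = /shaarli_version.txt {
        return 404;
    }

    # nginx ignores .htaccess, so the Apache-only file shipped with the
    # application would otherwise be served as plain text. Deny it too.
    location ~ /\.ht {
        return 404;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;  # assumed socket path
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
}
```

After `nginx -t` and a reload, `curl -I http://shaarli.example.com/shaarli_version.txt` should answer 404 while the application itself still loads. As the comments above point out, this only removes the trivial lookup; fingerprinting from page differences still works, so treat it as hygiene, not as protection.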